From: Dan Carpenter <dan.carpenter@oracle.com>
To: Adham Abozaeid <adham.abozaeid@microchip.com>
Cc: devel@driverdev.osuosl.org,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Ajay Singh <ajay.kathat@microchip.com>,
kernel-janitors@vger.kernel.org, linux-wireless@vger.kernel.org
Subject: [PATCH] staging: wilc1000: potential corruption in wilc_parse_join_bss_param()
Date: Thu, 17 Oct 2019 12:18:32 +0300
Message-ID: <20191017091832.GB31278@mwanda> (raw)
The "rates_len" value needs to be capped so that the memcpy() doesn't
copy beyond the end of the array.
Fixes: c5c77ba18ea6 ("staging: wilc1000: Add SDIO/SPI 802.11 driver")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
drivers/staging/wilc1000/wilc_hif.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/staging/wilc1000/wilc_hif.c b/drivers/staging/wilc1000/wilc_hif.c
index 0ac2b6ac50b0..e0a95c5cc0d5 100644
--- a/drivers/staging/wilc1000/wilc_hif.c
+++ b/drivers/staging/wilc1000/wilc_hif.c
@@ -479,6 +479,8 @@ void *wilc_parse_join_bss_param(struct cfg80211_bss *bss,
rates_ie = cfg80211_find_ie(WLAN_EID_SUPP_RATES, ies->data, ies->len);
if (rates_ie) {
rates_len = rates_ie[1];
+ if (rates_len > WILC_MAX_RATES_SUPPORTED)
+ rates_len = WILC_MAX_RATES_SUPPORTED;
param->supp_rates[0] = rates_len;
memcpy(¶m->supp_rates[1], rates_ie + 2, rates_len);
}
--
2.20.1
_______________________________________________
devel mailing list
devel@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
next reply index
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-17 9:18 Dan Carpenter [this message]
2019-10-17 17:06 ` Adham.Abozaeid
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191017091832.GB31278@mwanda \
--to=dan.carpenter@oracle.com \
--cc=adham.abozaeid@microchip.com \
--cc=ajay.kathat@microchip.com \
--cc=devel@driverdev.osuosl.org \
--cc=gregkh@linuxfoundation.org \
--cc=kernel-janitors@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
DriverDev-Devel Archive on lore.kernel.org
Archives are clonable:
git clone --mirror https://lore.kernel.org/driverdev-devel/0 driverdev-devel/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 driverdev-devel driverdev-devel/ https://lore.kernel.org/driverdev-devel \
driverdev-devel@linuxdriverproject.org devel@driverdev.osuosl.org
public-inbox-index driverdev-devel
Example config snippet for mirrors
Newsgroup available over NNTP:
nntp://nntp.lore.kernel.org/org.linuxdriverproject.driverdev-devel
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git